Transcription

Slide 2: Agenda
- Current state of Web Application Security
- Understanding Web Application attacks
- Demo of the 4 top vulnerabilities affecting Web Applications and how they can be exploited
- How to automatically find these vulnerabilities on your Web Site
(Deck: QM07 The Top Web Application Attacks: Are you vulnerable?)

Slide 8: Why Application Security Problems Exist
Root cause: developers are not trained to write or test for secure code.
- Firewalls and IDS/IPS systems don't block application attacks. Port 80/443 is wide open for attack.
- Network scanners won't find application vulnerabilities.
- Network security (firewall, IDS, etc.) does nothing once an organization web-enables an application.
Current state:
- Organizations test tactically at a late and costly stage in the SDLC.
- A communication gap exists between security and development, so vulnerabilities are not fixed.
- Testing coverage is incomplete.
Goal: to build better and more secure applications/websites.

Slide 11: Security: The Myth
"Our site is safe":
- We have firewalls in place
- We audit it once a quarter with pen testers
- We use SSL
- We use network vulnerability scanners

Slide 12: OWASP and the OWASP Top 10 list
- Open Web Application Security Project: an open organization dedicated to fighting insecure software.
- The OWASP Top Ten document represents a broad consensus about what the most critical web application security flaws are.
- We will use the Top 10 list to cover some of the most common security issues in web applications.

Slide 14: 1. Cross-Site Scripting (XSS)
What is it?
- Malicious script echoed back into HTML returned from a trusted site, which then runs under the trusted context.
What are the implications?
- Session tokens stolen (browser security circumvented)
- Complete page content compromised
- Future pages in the browser compromised

Slide 15: Demonstration: Cross-Site Scripting
Main points covered in the demo or video:
- Locating a place where user input is echoed back to the browser
- Seeing if the user input is echoed back as-is or if it is properly encoded
- Exploiting the vulnerability

Slide 16: XSS Example I
HTML code:

Slide 18: XSS Details
- Common in search pages, error pages and returned forms, but can be found on any type of page.
- Any input may be echoed back: path, query, POST data, cookie, header, etc.
- Browser technology used to aid the attack: XMLHttpRequest (AJAX), Flash, IFrame.
- Has many variations: XSS in an attribute, DOM-based XSS, etc.

Slide 20: Exploiting XSS
If I can get you to run my JavaScript, I can:
- Steal your cookies for the domain you're browsing
- Track every action you do in that browser from now on
- Redirect you to a phishing site
- Completely modify the content of any page you see on this domain
- Exploit browser vulnerabilities to take over the machine
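The reflection check from slide 15 (is the input echoed back as-is, or HTML-encoded?) as an added Python example, not code from the original deck: a constructed search page is rendered both ways, and a classifier reports whether a distinctive probe string comes back raw (an XSS candidate) or entity-encoded. The page template and the probe value are assumptions made for the example.

```python
import html

# Constructed search page (not from the slides) that reflects the query
# string into the HTML body.
PAGE = '<html><body><p>Results for: {q}</p></body></html>'


def render_search_vulnerable(q: str) -> str:
    """Echoes the query into the HTML as-is: reflected XSS if q carries markup."""
    return PAGE.format(q=q)


def render_search_fixed(q: str) -> str:
    """Echoes the query after HTML entity encoding: markup is displayed, not run."""
    return PAGE.format(q=html.escape(q, quote=True))


# A harmless, distinctive probe: contains the characters that matter for
# HTML context (<, >, ") but is not itself a script.
PROBE = '<zz123>"x"'


def reflection_check(response_body: str, probe: str = PROBE) -> str:
    """Classify how a response reflects the probe.

    'raw'     - echoed unencoded: the input lands in HTML as markup (XSS candidate)
    'encoded' - echoed as entities: the output is properly encoded
    'absent'  - the probe does not come back on this page
    """
    if probe in response_body:
        return "raw"
    if html.escape(probe, quote=True) in response_body:
        return "encoded"
    return "absent"


if __name__ == "__main__":
    for name, render in [("vulnerable", render_search_vulnerable),
                         ("fixed", render_search_fixed)]:
        print(name, "->", reflection_check(render(PROBE)))
```

Running the same check against a real page means sending the probe in each reflected location the slides list (path, query, POST data, cookie, header) and classifying the response; only the 'raw' case needs fixing, by encoding for the HTML context the value lands in.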

Slide 21: 2. Injection Flaws
What is it?
- User-supplied data is sent to an interpreter as part of a command, query or data.
What are the implications?
- SQL Injection: access/modify data in the DB
- SSI Injection: execute commands on the server and access sensitive data
- LDAP Injection: bypass authentication

Slide 28: Demonstration: SQL Injection
Main points covered in the demo or video:
- How to find a SQL injection vulnerability
- How to exploit a SQL injection vulnerability
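The injection flaw of slide 21 in its simplest form, as an added Python example (not the deck's demo): a login check that pastes user input into the SQL text beside the same check written with bound parameters. The in-memory SQLite table and its single user are constructed for the example; the string-context tautology it uses is the textbook test case for this bug.

```python
import sqlite3

# Constructed in-memory users table (sample data, not from the slides).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
conn.commit()


def login_vulnerable(username: str, password: str) -> bool:
    """User input becomes part of the SQL command text, so it can change the
    query's logic: the interpreter cannot tell data from command."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_fixed(username: str, password: str) -> bool:
    """Bound parameters: the driver sends the values separately from the
    statement, so quotes in the input are just characters, never syntax."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    tautology = "' OR '1'='1"   # turns the WHERE clause into an always-true test
    print("vulnerable, wrong password :", login_vulnerable("alice", "wrong"))
    print("vulnerable, tautology      :", login_vulnerable(tautology, tautology))
    print("fixed, tautology           :", login_fixed(tautology, tautology))
```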

Slide 29: 3. Malicious File Execution
What is it?
- The application is tricked into executing commands or creating files on the server.
What are the implications?
- Command execution on the server: complete takeover
- Site defacement, including the XSS option

Slide 30: Demonstration: Malicious File Execution
Main points covered in the demo or video:
- Demonstrating how a Malicious File Execution attack can be used to get access to system files

Slide 31: Malicious File Execution Example I

Slide 34: 4. Insecure Direct Object Reference
What is it?
- Part or all of a resource name (file, table, etc.) is controlled by user input.
What are the implications?
- Access to sensitive resources
- Information leakage, which aids future hacks

Slide 35: Demonstration: Insecure Direct Object References
Main points covered in the demo or video:
- Demonstrating how to extract files from the host system using the poison null byte attack
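Slides 29 to 35 share one root cause: a file name taken from user input is handed to the file system or the interpreter unchecked. This added Python example (not the deck's demo) builds a constructed web root with a public directory and a private config file, shows a file-serving function that joins the input straight onto the directory, and beside it the confined version: reject the null byte named on slide 35, resolve the path and keep it under the base directory, and allowlist the served type. The directory layout, file names and `.txt` allowlist are assumptions for the example.

```python
from pathlib import Path
import tempfile

# Constructed sandbox (not from the slides): a web root whose "public"
# directory is the only place the application may read from.
WEB_ROOT = Path(tempfile.mkdtemp())
PUBLIC = WEB_ROOT / "public"
PUBLIC.mkdir()
(PUBLIC / "report.txt").write_text("quarterly report")
(WEB_ROOT / "config.ini").write_text("secret=PLACEHOLDER")   # must stay private


def serve_vulnerable(name: str) -> str:
    """Direct object reference: user input is the file name, unchecked."""
    return open(str(PUBLIC) + "/" + name).read()


def serve_fixed(name: str) -> str:
    """Confine the reference: no control bytes, resolved under the base
    directory, and only an allowlisted file type."""
    if "\x00" in name:                       # poison null byte is never valid
        raise ValueError("NUL byte in resource name")
    base = PUBLIC.resolve()
    target = (base / name).resolve()         # collapses any ../ segments and symlinks
    if base not in target.parents:           # escaped the public directory
        raise PermissionError("resource outside the public directory")
    if target.suffix != ".txt":              # allowlist what may be served
        raise PermissionError("resource type not allowed")
    return target.read_text()


def allowed(name: str) -> bool:
    """True if serve_fixed would serve this name, False if it rejects it."""
    try:
        serve_fixed(name)
        return True
    except (ValueError, PermissionError, FileNotFoundError):
        return False


if __name__ == "__main__":
    print("vulnerable traversal reads:", serve_vulnerable("../config.ini"))
    for n in ["report.txt", "../config.ini", "report.txt\x00.jpg", "/etc/hosts"]:
        print(repr(n), "->", "served" if allowed(n) else "rejected")
```

The stronger fix for direct object references is to not accept a file name at all: map an opaque identifier to the resource server-side and check the user's authorization for that identifier before opening it.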

Slide 39: Organizations must mitigate the risk!
- Organizations need to mitigate the risk of a Web Application Security breach!
- They need to find and remediate vulnerabilities in their Web Applications before they are exploited by hackers.
- IBM Rational AppScan is the tool to help them do this!

Slide 43: Testing early reduces cost and time to market
Relative cost of fixing a defect, by the phase in which it is found:

                     Found in   Found in   Found in      Found in   Found in
                     Design     Coding     Integration   Beta       GA
Design Errors        1x         5x         10x           15x        30x
Coding Errors                   1x         10x           20x        30x
Integration Errors                         1x            10x        20x
*
